A verified Chrome VPN extension with more than 100,000 installs has been exposed as dangerous spyware. Researchers revealed that FreeVPN.One secretly captured screenshots of every website users visited, including sensitive content like private messages, social media chats, photos, and financial information. The stolen screenshots were quietly uploaded to servers controlled by the developers, along with data that identified each user.
This discovery highlights a growing problem with malicious browser extensions posing as trusted security tools. FreeVPN.One appeared safe because it carried a verified badge in the Chrome Web Store, yet its real purpose was hidden surveillance. The incident shows how trust in browser extensions can be abused, and why users must be cautious with what they install.
How the Chrome VPN Extension Worked
Investigators revealed that FreeVPN.One misused the Chrome tabs.captureVisibleTab() API. This function, normally intended for limited use, was triggered automatically in the background. Content scripts injected into every site allowed screenshots to be taken without user awareness.
The extension introduced suspicious updates over time. In April 2025, it added the <all_urls> permission. By June, it launched an “AI Threat Detection” feature that justified even deeper access. In July, spyware capabilities became fully active. Shortly after, developers added encryption to hide data transmissions from detection.
Why the Spyware is Dangerous
The scale of exposure is massive. With over 100,000 users, the spyware could access banking dashboards, social media chats, and private documents. Encryption ensured the stolen screenshots were difficult to trace, making the theft stealthier than typical malware infections.
The fact that the extension carried a verified badge highlights weaknesses in Chrome Web Store vetting. Many users trusted the VPN extension because of its appearance in the official store. Instead, it acted as surveillance software.
Protecting Yourself from Chrome VPN Extension Spyware
Users are advised to uninstall FreeVPN.One immediately. Anyone who installed the extension should also reset passwords for accounts accessed during its use. Reviewing browser extensions regularly helps minimize risks.
Safer VPN options exist, particularly those from audited providers with transparent policies. Users should also remain cautious of extensions requesting broad permissions such as <all_urls> or tabs.
Final Thoughts
The exposure of Chrome VPN extension spyware marks one of the most serious cases of browser-based surveillance in recent memory. Instead of protecting user privacy, FreeVPN.One turned Chrome into a constant recording device that documented nearly everything users did online.
This case is a reminder that not all security tools are what they seem. Even extensions with verified badges can conceal malicious features designed to exploit trust. Moving forward, users should be cautious with browser add-ons, rely on VPN providers with established reputations, and closely review extension permissions before granting access.
Chrome VPN extension spyware is more than a single rogue tool. It represents a larger trend of attackers using the disguise of privacy software to exploit unsuspecting users. Awareness and careful decision-making remain the strongest defenses against this type of digital surveillance.
